GandCrab: The Importance of Rapid Response to Fast Moving Ransomware

June 27, 2019 | 1 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

GandCrab is one of the most successful forms of ransomware. It accounts for over 40% of all ransomware infections. It first emerged in January 2018 and is continuously evolving to evade detection and defeat the latest decryptors. The sophistication of GandCrab lies in its business model. It operates under an affiliate program. It is distributed as Ransomware-as-a-Service in exchange for a percentage of the profits.

The BlueVoyant SOC has successfully defended against GandCrab. We have observed multi-vector distribution, including spam emails, exploit kits and other affiliated malware campaigns. GandCrab can infect a host in less than three minutes. It is designed for fast movement and compromise an entire network before organizations can respond.

In our latest response to GandCrab, the attack started when a 3rd party vendor connected an infected device to our client’s network, infecting a host. GandCrab then initiated several DNS connections to Command and Control (C2) sites, uploading host metadata and downloading malicious files to fully encrypt all files on the host. Our SOC analysts recognized the DNS connections were to unknown IPs and attributed the infection to GandCrab.

We know that GandCrab has a worm mechanism that looks for port 445 (SMB), used for file sharing. Using this knowledge, we quickly discovered that GandCrab was dropped on a file server. We mitigated the infection to this host to preventing accelerated lateral movement across the network.

In our experience, Next Generation Antivirus (NGAV) cannot detect this type of activity out-of-the-box. GandCrab requires careful monitoring and special tuning to terminate known malicious processes. It also requires manual intervention to eradicate the malware completely. The BlueVoyant SOC immediately updated the necessary controls into the NextGen AV policies.

Staying ahead of this evolving threat requires continuous monitoring combined with rapid response and mitigation. It requires a SOC with experienced security analysts supported by a best-in-class security tools. In this case the BlueVoyant SOC limited the infection to only two devices, terminating the attack before the entire network was compromised.